Do Not Track has been effectively dead for 1.5 years. Very few advertising companies ever supported it due to Microsoft's decision to buck the spec and enable it by default for all IE10 users (a transparent attack on Google by a company whose own advertising business had just imploded in a $4B write-off).

The original agreement was carefully hashed out between advertisers and browser vendors with the understanding that only a small percentage of users would be opting out. When Microsoft reneged on that, the advertising industry backed out.

Whatever you think about online tracking, the voluntary nature of DNT and the complete lack of enforceability (there's no way, as a user, to determine whether a company is following DNT) made it pretty useless. True privacy protection needs to be on the client side (like script blocking or 3rd party cookie blocking), not on the server side.

What level of "not by default" would have been acceptable to advertisers? I suspect they would be happy only if the option was disabled by default and hidden from view. An uninformed consumer is a trackable consumer.

I have. You have to click through to a separate screen to get the option to disable it. If you try that, it will warn you on the next screen that you are not using the recommended settings. Then variously using IE10 you will get prompted to use the recommended settings. Microsoft makes it pretty hard for an average person to disable it.

DNT was a voluntary standard, and the advertisers refused to buy in unless it was off by default (the vast majority of people will not change defaults, even if you make it easy for them). Microsoft violated that agreement to hurt Google, and as a result DNT is dead.

we already beat that horse to death. it is not enabled by default. it is SHOWN to the user to choose. and the checkbox is enabled by default, because, let's agree on this, microsoft did their homework and that is the best choice to recommend to their users.

it is never enabled against the user's knowledge. it is just the correct default when it is presented to them.

and again, by no-one, you mean YOU. you are pissed off that everyone is not disabled on DNT and not even shown the option, and only you and other tech savvy people can benefit.

Do not track, as defined, was pretty meaningless. See the section of the RFC listing the exceptions:

9.3. Exceptions
As a general guideline, exceptions to Do Not Track are warranted when
commercial interests substantially outweigh privacy and verification
interests. The following activities are excepted:
1. Tracking of users who have explicitly consented to tracking, such
as by enabling a checkbox in a preferences menu on the first-
party website of the tracking service.
2. Data obtained by a third party exclusively on behalf of and for
the use of a first party.
3. Data that is, with high confidence, not linkable to a specific
user or user agent. This exception includes statistical
aggregates of protocol logs, such as pageview statistics, so long
as the aggregator takes reasonable steps to ensure the data does
not reveal information about individual users, user agents,
devices, or log records. It also includes highly non-unique data
stored in the user agent, such as cookies used for advertising
frequency capping or sequencing. This exception does not include
anonymized data, which recent work has shown to be often re-
identifiable (see [Narayanan09] and [Narayanan08]).
4. Protocol logs, not aggregated across first parties, and subject
to a two week retention period.
5. Protocol logs used solely for advertising fraud detection, and
subject to a one month retention period.
6. Protocol logs used solely for security purposes such as intrusion
detection and forensics, and subject to a six month retention
period.
7. Protocol logs used solely for financial fraud detection, and
subject to a six month retention period.
To ensure data allowed for only specific uses is adequately
protected, functional entities SHOULD implement strong internal
controls.

I used to feel that blocking online ads was freeloading, but I am increasingly convinced that the online ads are a failed experiment and it's our duty to kill them -- especially when the industry can't even follow through on watered-down self-regulation like DNT.

The crazy thing is that major websites like Yahoo don't even know what ads they are serving. And increasingly online ads are an attack vector for viruses and malware. In January Yahoo was serving malware via their online ads.[1] And in February Google did the same.[2]

And of course there are the major privacy issues with companies tracking us online. I understand that online publishing is important and we clearly need a strong press, but publishing really needs to find a new business model. Online ads are not the solution.

Sure, kill them. I mean, as long as you realize that killing off online ads essentially means opting in to a future where quality content is forced behind a paywall as a matter of course.

And I say this as someone who loathes advertising and the creepy mentality behind them. They're kind of a necessary evil. Keeping a tighter rein on what kinds of ads can be served would help tremendously. They need to eradicate that stigma of them being a dangerous vector. Erf.

The important thing to note here is not that Yahoo! is so evil. It is that they are probably one of the few companies in the world that are honest about it. And surely after this outcry, or at least 3/5 comments here are talking about needing warnings on "websites like these" or "now I have a reason to block Yahoo's cookies", surely no other companies will publicly announce the end of DNT support.

And besides, Do Not Track is a black box: they can do whatever the hell they like while our browser merely requests "Would you please not track me even if your site is entirely free and ad-supported?" Because it's not like they're keeping databases on us purely for fun.

Marissa Mayer is getting a little weird in the quest to show she has brought some value to Yahoo.

She runs a company that cares about you and wants the "best user experience", so long as it doesn't hurt the bottom line at all. And the next rounds of layoffs are probably not too far away, from everything I've heard.

It's not a surprise, really - Yahoo is a business that thrives on data about advertising targets, much like Google. "Don't be evil," is as much a bunch of marketing bullshit that'll be thrown out the window the moment it becomes inconvenient for the real goal of the enterprise.

I just find the apparent need to hide behind bromides such as these distasteful, particularly when they're not merely empty little phrases, but empty little phrases that are directly contradicted by the actions and interests of the organization that employs them.

she learned at google that this matters little. just see android announcing to your carrier that you use tethering, or the fact that google employers actively REMOVE features from chromium that impact adsense revenue such as disabling referrer, etc.

Chrome's options for DNT are hilarious. For every other option, like spelling, they give you an order of (Yes, No) when you check the box to enable the option. For spelling correction, they encourage you to enable it with the phrasing.

For DNT, they have a lengthy explanation of how tracking is still done and totally helps your experience. Then they reverse the order of the buttons so the default is to cancel out of the operation.

Microsoft effectively destroyed "Do Not Track" by making it the default in their browser, and therefore destroying any notion of "intent" by the user. The day Microsoft made it the default was the day I immediately knew that the Yahoo/Google's of the world would stop supporting it in the future. Clever move by Microsoft in the embrace/extend/extinguish cycle.

DNT is not designed to protect everyone's privacy, it was meant as a way to grow a clear sign that people don't want to be tracked. If browsers really wanted to protect people's privacy, they'd block 3rd party cookies by default and show 1st party cookies as a warning.

The default setting should be "No Intent" - I neither make claims as to whether I wish to be tracked/have personalization, nor do I make claims as to whether I do not. A browser should not bake in any claims about what I desire.

Do you mean that when average users use a web site, they intend to be tracked?

The setting has to be either on or off by default. I think that most users, if asked, would like for it to be off. The only reason to leave it to "on" involves advertising doublethink, a.k.a. bullshit.

The reason to be off by default is that you needed the advertisers and publishers to voluntarily agree to honor the DNT flag. They can significantly make more money by targeting users based on tracking data (a targeted ad might be worth 10X a non targeted ad). Now you might not like that but, DNT is not a law, following it is completely 100% optional. You could probably even lie and say you follow when you really don't and there is little that could be done (I'm not a lawyer btw).

The advertisers agreed that as long as the flag had to be set manually by the user they would honor it. They made that agreement because it would not impact their revenue significantly. It would be very presumptuous to expect them to voluntarily destroy their own business. Because DNT is optional you need the advertisers and publishers to agree about it. So by making DNT on by default in IE advertisers walked away from the agreement and there is nothing we could do to stop them effectively killing DNT.

Now you mention most users don't want to be tracked, but what are they getting in exchange for being tracked? If you asked the average user would you allow yourself to be tracked online to use Facebook I bet most would say yes. How about you allow yourself to be tracked online for 1 free latte at Starbucks/month? Again I think most would say yes.

The title doesn't even make sense. The default was always to track users. Yahoo could have made this sound a lot less disingenuous if they had spun ending Do Not Track support as "this 'standard' is weak, hard for users to understand, and not guaranteed to be implemented by anyone, giving the average browser user a false sense of security."

This post just makes it seem like one of the higher-ups realized that Yahoo's missing out on a chunk of data that everyone else gets and decided to go for a "quick win".

they support safeFrames (like a few other small sites like deviantart). ads can't set cookies at yahoo.com even if they wanted. they render in a cross domain iframe. so they can't do it even if the adserver is compromised.

they are morons for not mentioning this on that announcement. basically, they are just ignoring DNT for the few in house ads that run on front page and such. which being in house, already can track you.
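
The cookie-scoping rule behind the cross-domain iframe point above, as an added example that is not part of the original comments or any site's own code: it applies the RFC 6265 domain-match check to `Set-Cookie` headers from a frame host and from the page's own host. `ads.framehost.example` and the cookie values are constructed placeholders, and public-suffix checks are left out.

```python
# Added illustration (not from the thread): RFC 6265 cookie scoping for a
# cross-domain ad frame. FRAME_HOST is a constructed placeholder.
PAGE_HOST = "www.yahoo.com"
FRAME_HOST = "ads.framehost.example"


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: identical, or host is a subdomain of cookie_domain."""
    host, cookie_domain = host.lower(), cookie_domain.lower()
    if host == cookie_domain:
        return True
    is_ip = host.replace(".", "").isdigit()  # simplified IPv4 test
    return not is_ip and host.endswith("." + cookie_domain)


def cookie_scope(response_host: str, set_cookie: str):
    """Return (domain, host_only) as a browser would store it, or None if rejected."""
    domain_attr = ""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.partition("=")
        if name.strip().lower() == "domain":
            domain_attr = value.strip().lstrip(".").lower()
    if not domain_attr:
        return (response_host.lower(), True)       # host-only cookie
    if not domain_match(response_host, domain_attr):
        return None                                # section 5.3: cookie ignored
    return (domain_attr, False)


def sent_with_request(scope, request_host: str) -> bool:
    """Would a stored cookie with this scope accompany a request to request_host?"""
    if scope is None:
        return False
    domain, host_only = scope
    if host_only:
        return request_host.lower() == domain
    return domain_match(request_host, domain)


if __name__ == "__main__":
    cases = [
        (FRAME_HOST, "id=abc; Path=/"),            # frame sets its own cookie
        (FRAME_HOST, "id=abc; Domain=yahoo.com"),  # frame names the page's domain
        (PAGE_HOST, "id=abc; Domain=.yahoo.com"),  # first-party (in-house) response
    ]
    for host, header in cases:
        scope = cookie_scope(host, header)
        print(host, "|", header, "->", scope,
              "| sent to page:", sent_with_request(scope, PAGE_HOST))
```

The frame's host-only cookie is still stored, only under the frame's own domain, so from the page's point of view it is a third-party cookie and falls under the browser's third-party cookie setting.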

But has there ever been a precise specification of what it means to "track" a user? Does "track" have any finite meaning, or is it just an open-ended plea from the user for everyone to pretend that certain events never happened?

To speak of "tracking" one might mean:

A. Thou shalt not cookie a user.
B. Thou shalt not record plain text log files on a
server-side file system, regarding the nature of these
requests. Thou shalt not persist discrete information
to a relational database, with respect to these
particular HTTP requests.
C. Thou shalt not inspect which IP address HTTP POST
requests originate from, and treat them differently, if
a user proclaims "no tracksies". GET requests will be
treated as read-only requests for static resources. If
the static resources change, I wish to play no part in
such events.
D. Thou shalt neither inspect ANY HTTP requests (PUT,
DELETE, POST or GET), nor serve individualized
resources, regardless of any particular attributes
present in the request. Thou shalt only keep the
specific data I tell you to keep, and destroy
everything else related to my requests. At a later
point in time, I reserve the right to become
irrationally angry about your having kept *some* of
the data I told you to keep, because, technically
speaking, the DO-NOT-TRACK header is all encompassing,
and supersedes all other instructions. I also reserve
the right to get angry if *your* system does not
perform according to *my* expectations, whatever those
expectations may be, at any particular time.
E. Thou shalt not provide me with any uniquely
identifiable information. I do not wish to receive
information which has not already been provided to
anyone else. Please do not transmit unique information
to me over the wire or over the air. Doing so will
change the state of my system in a unique way, which
I'll eventually have to answer to. If I receive non-
standard resources and information from you, my service
provider and local authorities, may use this against
me, and derive other information from these details. I
may be penalized for knowing or having things other
people do not.
F. This never happened. I don't exist. You don't exist. We
don't know each other. There was never any /index.html
or /default.htm available here. I never asked for it,
and if anyone did ask for it, you just said "404". You
don't know how many people were looking for that file,
or whether it was 5KB or 17MB at any particular time.

One can easily understand how a user might urgently want for one or all of those, or even more stringent restrictions to be adhered to, under certain circumstances, but in some cases, the very nature of the beast is for a given server or cluster to maintain a certain degree of situational awareness, regarding the current state of user activity requested.

Beyond even that, in most cases, for a user to simply request the common courtesy of being forgotten might be unrealistic and completely ineffective from the outset.

I can think of several ways to interpret that. Worse yet, the fact that a user may have cookies turned on, and has sent the request in plain text, across ten other systems beyond my own control (all of which should also respect the user's wishes) completely defeats any realistic expectations of non-disclosure.

An honor system is certainly an admirable aspiration, but sending "do not track" requests by default also creates a general atmosphere of noise from users who may or may not be cognizant of the true nature of their actions.

The knee-jerk idea that cookies are bad isn't good enough. The idea that you can simply ask people to "be nice" also isn't good enough.

Dumb people are always going to be their own worst enemies, by playing the role of low hanging fruit to be preyed upon.

I've always felt that "do-not-track" requests were bullshit, just like the European cookie law was a silly whitewash. (servers remember data, it's what they do. businesses exploit their customers for a profit, it's what they do.)

Just like having to opt into a "do-not-call" registry is bullshit. (no one wants to be cold-called by telemarketers, so why is this an opt-in thing?)

Just like anti-virus software is bullshit. (hey, how about you just don't execute code indiscriminately? doesn't that work too?)